Innovate to stay competitive

01 Faster Payment System (FPS)
02 Enhanced Fintech Supervisory Sandbox (FSS) 2.0
03 Promotion of Virtual Banking
04 Banking Made Easy initiative
05 Open Application Programming Interface (API)
06 Closer cross-border collaboration





All online services may be hacked, as a matter of time

Online Banking Breaches:
- UK (9000 accounts)
- Canada (~90,000 accounts)

ATM Hacks:
- Japan (loss: $19m)
- India (loss: $11.5m)
- Thailand (loss: $0.35m)
- US (loss: $1m)

Singapore

Note: Only selected, recent and major incidents are shown


Incidents can remain undiscovered for a long time

> Marriott International data breach 2014 - 2018
  • The 2nd biggest corporate data breach in history
  • Guest reservation system exposed for 4 years

> 500 million customers' information exposed

> Losses
  • Financial penalties from authorities and class-action lawsuits
  • Damage to company reputation and customer trust
  • Breaches can spread quickly due to interconnectedness with other business entities


Balancing innovation and risk

> Avoidance vs mitigation?
> Traditional IT security vs Cybersecurity?
> Protection vs Detection + Recovery?
> Static vs Intelligence-based?


Addressing cyber risk by Cybersecurity Fortification Initiative (CFI)

Launched in Dec 2016
✓ Establish a common risk assessment framework for banks
✓ Offer training and certifications in cybersecurity
✓ Facilitate sharing of cyber threat intelligence


Three Pillars of CFI

1. Cyber Resilience Assessment Framework (C-RAF)
2. Professional Development Programme (PDP)
3. Cyber Intelligence Sharing Platform (CISP)


Good progress for C-RAF

> C-RAF is an assessment tool to evaluate a bank's cyber resilience; it comprises the Inherent Risk and Maturity Assessments, and iCAST.

C-RAF rollout status:

                                      Phase 1:         Phase 2:        Phase 3:
                                      30 banks         60 banks        Remaining ~90 banks
  Inherent Risk Assessment
  and Maturity Assessment             Completed        Completed       End-Sep 2019
  iCAST                               Completed        End-Sep 2019    Mid-2020
                                      (27 out of 30)


Some lessons from C-RAF

> Banks generally mature in cyber resilience, but need improvement in
  • Staff security awareness
  • Password management
  • Patching and configuration of systems

> The concept of iCAST is new to some banks

> Checklist-based assessment may bring false comfort
  • No issues identified by Maturity Assessment but problems seen in iCAST (e.g. IDS/SIEM implemented but not well configured)


How to better prepare for iCAST

> iCAST testers' common attack methods (based on threat intelligence and experience learnt):
  • Spear phishing targeting selected bank staff
  • Unauthorized access to office premises
  • Simulated attacks originating from banks' own staff

> iCAST testers' common targets:
  • Payment related systems
  • Electronic banking systems
  • Core banking systems


Professional Development Programme (PDP)

> PDP is a framework on qualifications for conducting:
  • Inherent Risk and Maturity Assessments: Recognised 7 equivalent certifications from industry
  • iCAST: Certification for individuals, exam statistics since launched

    Level     Title          (heading illegible)   Passed
    Level 1   Practitioner
    Level 2   Registered              17              10
    Level 3   Certified               37               2
    Level 4   Specialist               1               1

> Certification on company level may help to grow the industry


Continue to close the talent gap

> Enhanced Competency Framework on Cybersecurity (ECF-C)

[Charts: "Growing Talent Pool Size" and "Improving Talent Quality", comparing End 2017 with End 2018; series: Total no. of practitioners, No. of practitioners meeting ECF-C]

> To further improve talent development, 6 certificates for C-RAF added to ECF-C
Cyber Intelligence Sharing Platform (CISP)

> To facilitate the sharing of cyber threat intelligence by banks

> Soft launched in Dec 2017 and fully launched in April 2018

> Utilisation is yet to pick up





Industry feedback 


> Need harmonisation with other standards (reduce compliance efforts)

> Better clarity on assessment criteria

> Better clarity on what and when to share on CISP





> Insufficient talent 


> On-going efforts? 


CFI review — Timeline and approach

Survey and interview → Industry consultation → Finalise changes

Proposed approaches:
- Feedback questionnaire / interview
- Harmonising with other CFI-like initiatives
- Workshop with Associations such as HKAB





Key takeaways 


> Innovation is essential and will speed up to stay competitive
> Need to properly address risk in light of increasing cyber threats 
> Framework already in place to work with banks to face challenges 


> Will continue to improve to cope with evolving circumstances 


Thank you 


